Line data Source code
1 : /* Copyright (C) 2000-2004 The PARI group.
2 :
3 : This file is part of the PARI/GP package.
4 :
5 : PARI/GP is free software; you can redistribute it and/or modify it under the
6 : terms of the GNU General Public License as published by the Free Software
7 : Foundation; either version 2 of the License, or (at your option) any later
8 : version. It is distributed in the hope that it will be useful, but WITHOUT
9 : ANY WARRANTY WHATSOEVER.
10 :
11 : Check the License for details. You should have received a copy of it, along
12 : with the package; see the file 'COPYING'. If not, write to the Free Software
13 : Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */
14 :
15 : /***********************************************************************/
16 : /** **/
17 : /** GENERIC ALGORITHMS ON BLACKBOX GROUP **/
18 : /** **/
19 : /***********************************************************************/
20 : #include "pari.h"
21 : #include "paripriv.h"
22 : #undef pow /* AIX: pow(a,b) is a macro, wrongly expanded on grp->pow(a,b,c) */
23 :
24 : #define DEBUGLEVEL DEBUGLEVEL_bb_group
25 :
26 : /***********************************************************************/
27 : /** **/
28 : /** POWERING **/
29 : /** **/
30 : /***********************************************************************/
31 :
32 : /* return (n>>(i+1-l)) & ((1<<l)-1) */
33 : static ulong
34 8318665 : int_block(GEN n, long i, long l)
35 : {
36 8318665 : long q = divsBIL(i), r = remsBIL(i)+1, lr;
37 8318286 : GEN nw = int_W(n, q);
38 8318286 : ulong w = (ulong) *nw, w2;
39 8318286 : if (r>=l) return (w>>(r-l))&((1UL<<l)-1);
40 572167 : w &= (1UL<<r)-1; lr = l-r;
41 572167 : w2 = (ulong) *int_precW(nw); w2 >>= (BITS_IN_LONG-lr);
42 572167 : return (w<<lr)|w2;
43 : }
44 :
45 : /* assume n != 0, t_INT. Compute x^|n| using sliding window powering */
46 : static GEN
47 9316671 : sliding_window_powu(GEN x, ulong n, long e, void *E, GEN (*sqr)(void*,GEN),
48 : GEN (*mul)(void*,GEN,GEN))
49 : {
50 9316671 : long i, l = expu(n), u = (1UL<<(e-1));
51 9316466 : GEN tab = cgetg(1+u, t_VEC), x2 = sqr(E, x), z = NULL;
52 :
53 9319964 : gel(tab, 1) = x;
54 24643779 : for (i = 2; i <= u; i++) gel(tab,i) = mul(E, gel(tab,i-1), x2);
55 68966023 : while (l >= 0)
56 : {
57 : long w, v;
58 : GEN tw;
59 59770658 : if (e > l+1) e = l+1;
60 59770658 : w = (n>>(l+1-e)) & ((1UL<<e)-1); v = vals(w); l-=e;
61 59785489 : tw = gel(tab, 1 + (w>>(v+1)));
62 59785489 : if (!z) z = tw;
63 : else
64 : {
65 137337186 : for (i = 1; i <= e-v; i++) z = sqr(E, z);
66 50357782 : z = mul(E, z, tw);
67 : }
68 97399432 : for (i = 1; i <= v; i++) z = sqr(E, z);
69 109903102 : while (l >= 0)
70 : {
71 100821508 : if (n&(1UL<<l)) break;
72 50242571 : z = sqr(E, z); l--;
73 : }
74 : }
75 9195365 : return z;
76 : }
77 :
78 : /* assume n != 0, t_INT. Compute x^|n| using sliding window powering */
79 : static GEN
80 226037 : sliding_window_pow(GEN x, GEN n, long e, void *E, GEN (*sqr)(void*,GEN),
81 : GEN (*mul)(void*,GEN,GEN))
82 : {
83 : pari_sp av;
84 226037 : long i, l = expi(n), u = (1UL<<(e-1));
85 226038 : GEN tab = cgetg(1+u, t_VEC);
86 226037 : GEN x2 = sqr(E, x), z = NULL;
87 :
88 225929 : gel(tab, 1) = x;
89 2994448 : for (i=2; i<=u; i++) gel(tab,i) = mul(E, gel(tab,i-1), x2);
90 226043 : av = avma;
91 7972544 : while (l >= 0)
92 : {
93 : long w, v;
94 : GEN tw;
95 7713109 : if (e > l+1) e = l+1;
96 7713109 : w = int_block(n,l,e); v = vals(w); l-=e;
97 7716900 : tw = gel(tab, 1+(w>>(v+1)));
98 7716900 : if (!z) z = tw;
99 : else
100 : {
101 40696859 : for (i = 1; i <= e-v; i++) z = sqr(E, z);
102 7475416 : z = mul(E, z, tw);
103 : }
104 14661698 : for (i = 1; i <= v; i++) z = sqr(E, z);
105 20742192 : while (l >= 0)
106 : {
107 20482924 : if (gc_needed(av,1))
108 : {
109 1043 : if (DEBUGMEM>1) pari_warn(warnmem,"sliding_window_pow (%ld)", l);
110 1043 : z = gerepilecopy(av, z);
111 : }
112 20482924 : if (int_bit(n,l)) break;
113 12977627 : z = sqr(E, z); l--;
114 : }
115 : }
116 259435 : return z;
117 : }
118 :
119 : /* assume n != 0, t_INT. Compute x^|n| using leftright binary powering */
120 : static GEN
121 100131299 : leftright_binary_powu(GEN x, ulong n, void *E, GEN (*sqr)(void*,GEN),
122 : GEN (*mul)(void*,GEN,GEN))
123 : {
124 100131299 : pari_sp av = avma;
125 : GEN y;
126 : int j;
127 :
128 100131299 : if (n == 1) return x;
129 100131299 : y = x; j = 1+bfffo(n);
130 : /* normalize, i.e set highest bit to 1 (we know n != 0) */
131 100131299 : n<<=j; j = BITS_IN_LONG-j;
132 : /* first bit is now implicit */
133 326218354 : for (; j; n<<=1,j--)
134 : {
135 226124242 : y = sqr(E,y);
136 226083728 : if (n & HIGHBIT) y = mul(E,y,x); /* first bit set: multiply by base */
137 226075746 : if (gc_needed(av,1))
138 : {
139 0 : if (DEBUGMEM>1) pari_warn(warnmem,"leftright_powu (%d)", j);
140 0 : y = gerepilecopy(av, y);
141 : }
142 : }
143 100094112 : return y;
144 : }
145 :
146 : GEN
147 112094127 : gen_powu_i(GEN x, ulong n, void *E, GEN (*sqr)(void*,GEN),
148 : GEN (*mul)(void*,GEN,GEN))
149 : {
150 112094127 : if (n == 1) return x;
151 109445086 : if (n < 512)
152 100130807 : return leftright_binary_powu(x, n, E, sqr, mul);
153 : else
154 9314279 : return sliding_window_powu(x, n, n < (1UL<<25)? 2: 3, E, sqr, mul);
155 : }
156 :
157 : GEN
158 204693 : gen_powu(GEN x, ulong n, void *E, GEN (*sqr)(void*,GEN),
159 : GEN (*mul)(void*,GEN,GEN))
160 : {
161 204693 : pari_sp av = avma;
162 204693 : if (n == 1) return gcopy(x);
163 171129 : return gerepilecopy(av, gen_powu_i(x,n,E,sqr,mul));
164 : }
165 :
166 : GEN
167 41025321 : gen_pow_i(GEN x, GEN n, void *E, GEN (*sqr)(void*,GEN),
168 : GEN (*mul)(void*,GEN,GEN))
169 : {
170 : long l, e;
171 41025321 : if (lgefint(n)==3) return gen_powu_i(x, uel(n,2), E, sqr, mul);
172 226034 : l = expi(n);
173 226037 : if (l<=64) e = 3;
174 167392 : else if (l<=160) e = 4;
175 85800 : else if (l<=384) e = 5;
176 22997 : else if (l<=896) e = 6;
177 11527 : else e = 7;
178 226037 : return sliding_window_pow(x, n, e, E, sqr, mul);
179 : }
180 :
181 : GEN
182 11034653 : gen_pow(GEN x, GEN n, void *E, GEN (*sqr)(void*,GEN),
183 : GEN (*mul)(void*,GEN,GEN))
184 : {
185 11034653 : pari_sp av = avma;
186 11034653 : return gerepilecopy(av, gen_pow_i(x,n,E,sqr,mul));
187 : }
188 :
189 : /* assume n > 0. Compute x^n using left-right binary powering */
190 : GEN
191 1325666 : gen_powu_fold_i(GEN x, ulong n, void *E, GEN (*sqr)(void*,GEN),
192 : GEN (*msqr)(void*,GEN))
193 : {
194 1325666 : pari_sp av = avma;
195 : GEN y;
196 : int j;
197 :
198 1325666 : if (n == 1) return x;
199 1325666 : y = x; j = 1+bfffo(n);
200 : /* normalize, i.e set highest bit to 1 (we know n != 0) */
201 1325666 : n<<=j; j = BITS_IN_LONG-j;
202 : /* first bit is now implicit */
203 5896373 : for (; j; n<<=1,j--)
204 : {
205 4570775 : if (n & HIGHBIT) y = msqr(E,y); /* first bit set: multiply by base */
206 3347225 : else y = sqr(E,y);
207 4570723 : if (gc_needed(av,1))
208 : {
209 0 : if (DEBUGMEM>1) pari_warn(warnmem,"gen_powu_fold (%d)", j);
210 0 : y = gerepilecopy(av, y);
211 : }
212 : }
213 1325598 : return y;
214 : }
215 : GEN
216 5019 : gen_powu_fold(GEN x, ulong n, void *E, GEN (*sqr)(void*,GEN),
217 : GEN (*msqr)(void*,GEN))
218 : {
219 5019 : pari_sp av = avma;
220 5019 : if (n == 1) return gcopy(x);
221 5019 : return gerepilecopy(av, gen_powu_fold_i(x,n,E,sqr,msqr));
222 : }
223 :
224 : /* assume N != 0, t_INT. Compute x^|N| using left-right binary powering */
225 : GEN
226 688637 : gen_pow_fold_i(GEN x, GEN N, void *E, GEN (*sqr)(void*,GEN),
227 : GEN (*msqr)(void*,GEN))
228 : {
229 688637 : long ln = lgefint(N);
230 688637 : if (ln == 3) return gen_powu_fold_i(x, N[2], E, sqr, msqr);
231 : else
232 : {
233 145822 : GEN nd = int_MSW(N), y = x;
234 145822 : ulong n = *nd;
235 : long i;
236 : int j;
237 145822 : pari_sp av = avma;
238 :
239 145822 : if (n == 1)
240 7353 : j = 0;
241 : else
242 : {
243 138469 : j = 1+bfffo(n); /* < BIL */
244 : /* normalize, i.e set highest bit to 1 (we know n != 0) */
245 138469 : n <<= j; j = BITS_IN_LONG - j;
246 : }
247 : /* first bit is now implicit */
248 145822 : for (i=ln-2;;)
249 : {
250 54332772 : for (; j; n<<=1,j--)
251 : {
252 53562498 : if (n & HIGHBIT) y = msqr(E,y); /* first bit set: multiply by base */
253 37445235 : else y = sqr(E,y);
254 53565128 : if (gc_needed(av,1))
255 : {
256 0 : if (DEBUGMEM>1) pari_warn(warnmem,"gen_pow_fold (%ld,%d)", i,j);
257 0 : y = gerepilecopy(av, y);
258 : }
259 : }
260 843841 : if (--i == 0) return y;
261 884073 : nd = int_precW(nd);
262 884073 : n = *nd; j = BITS_IN_LONG;
263 : }
264 : }
265 : }
266 : GEN
267 542815 : gen_pow_fold(GEN x, GEN n, void *E, GEN (*sqr)(void*,GEN),
268 : GEN (*msqr)(void*,GEN))
269 : {
270 542815 : pari_sp av = avma;
271 542815 : return gerepilecopy(av, gen_pow_fold_i(x,n,E,sqr,msqr));
272 : }
273 :
274 : GEN
275 147 : gen_pow_init(GEN x, GEN n, long k, void *E, GEN (*sqr)(void*,GEN), GEN (*mul)(void*,GEN,GEN))
276 : {
277 147 : long i, j, l = expi(n);
278 147 : long m = 1UL<<(k-1);
279 147 : GEN x2 = sqr(E, x), y = gcopy(x);
280 147 : GEN R = cgetg(m+1, t_VEC);
281 644 : for(i = 1; i <= m; i++)
282 : {
283 497 : GEN C = cgetg(l+1, t_VEC);
284 497 : gel(C,1) = y;
285 27118 : for(j = 2; j <= l; j++)
286 26621 : gel(C,j) = sqr(E, gel(C,j-1));
287 497 : gel(R,i) = C;
288 497 : y = mul(E, y, x2);
289 : }
290 147 : return R;
291 : }
292 :
293 : GEN
294 53330 : gen_pow_table(GEN R, GEN n, void *E, GEN (*one)(void*), GEN (*mul)(void*,GEN,GEN))
295 : {
296 53330 : long e = expu(lg(R)-1) + 1;
297 53330 : long l = expi(n);
298 : long i, w;
299 53330 : GEN z = one(E), tw;
300 1241261 : for(i=0; i<=l; )
301 : {
302 1187931 : if (int_bit(n, i)==0) { i++; continue; }
303 605949 : if (i+e-1>l) e = l+1-i;
304 605949 : w = int_block(n,i+e-1,e);
305 605949 : tw = gmael(R, 1+(w>>1), i+1);
306 605949 : z = mul(E, z, tw);
307 605949 : i += e;
308 : }
309 53330 : return z;
310 : }
311 :
312 : GEN
313 28682285 : gen_powers(GEN x, long l, int use_sqr, void *E, GEN (*sqr)(void*,GEN),
314 : GEN (*mul)(void*,GEN,GEN), GEN (*one)(void*))
315 : {
316 : long i;
317 28682285 : GEN V = cgetg(l+2,t_VEC);
318 28680795 : gel(V,1) = one(E); if (l==0) return V;
319 28656768 : gel(V,2) = gcopy(x); if (l==1) return V;
320 12575864 : gel(V,3) = sqr(E,x);
321 12578887 : if (use_sqr)
322 40481335 : for(i = 4; i < l+2; i++)
323 30872014 : gel(V,i) = (i&1)? sqr(E,gel(V, (i+1)>>1))
324 30872608 : : mul(E,gel(V, i-1),x);
325 : else
326 7290438 : for(i = 4; i < l+2; i++)
327 4320912 : gel(V,i) = mul(E,gel(V,i-1),x);
328 12578253 : return V;
329 : }
330 :
331 : GEN
332 57408211 : producttree_scheme(long n)
333 : {
334 : GEN v, w;
335 : long i, j, k, u, l;
336 57408211 : if (n<=2) return mkvecsmall(n);
337 47759463 : u = expu(n-1);
338 47759486 : v = cgetg(n+1,t_VECSMALL);
339 47759521 : w = cgetg(n+1,t_VECSMALL);
340 47759857 : v[1] = n; l = 1;
341 156040461 : for (i=1; i<=u; i++)
342 : {
343 416116817 : for(j=1, k=1; j<=l; j++, k+=2)
344 : {
345 307836213 : long vj = v[j], v2 = vj>>1;
346 307836213 : w[k] = vj-v2;
347 307836213 : w[k+1] = v2;
348 : }
349 108280604 : swap(v,w); l<<=1;
350 : }
351 47759857 : fixlg(v, l+1); set_avma((pari_sp)v); return v;
352 : }
353 :
354 : GEN
355 60844372 : gen_product(GEN x, void *E, GEN (*mul)(void *,GEN,GEN))
356 : {
357 : pari_sp av;
358 60844372 : long i, k, l = lg(x);
359 : pari_timer ti;
360 : GEN y, v;
361 :
362 60844372 : if (l <= 2) return l == 1? gen_1: gcopy(gel(x,1));
363 56750992 : y = cgetg(l, t_VEC); av = avma;
364 56751270 : v = producttree_scheme(l-1);
365 56751635 : l = lg(v);
366 56751635 : if (DEBUGLEVEL>7) timer_start(&ti);
367 414671957 : for (k = i = 1; k < l; i += v[k++])
368 357923069 : gel(y,k) = v[k]==1? gel(x,i): mul(E, gel(x,i), gel(x,i+1));
369 163267560 : while (k > 2)
370 : {
371 106516196 : long n = k - 1;
372 106516196 : if (DEBUGLEVEL>7) timer_printf(&ti,"gen_product: remaining objects %ld",n);
373 407670878 : for (k = i = 1; i < n; i += 2) gel(y,k++) = mul(E, gel(y,i), gel(y,i+1));
374 106517881 : if (gc_needed(av,1)) gerepilecoeffs(av, y+1, k-1);
375 : }
376 56751364 : return gel(y,1);
377 : }
378 :
379 : /***********************************************************************/
380 : /** **/
381 : /** DISCRETE LOGARITHM **/
382 : /** **/
383 : /***********************************************************************/
384 : static GEN
385 69831174 : iter_rho(GEN x, GEN g, GEN q, GEN A, ulong h, void *E, const struct bb_group *grp)
386 : {
387 69831174 : GEN a = gel(A,1), b = gel(A,2), c = gel(A,3);
388 69831174 : switch((h | grp->hash(a)) % 3UL)
389 : {
390 23287792 : case 0: return mkvec3(grp->pow(E,a,gen_2), Fp_mulu(b,2,q), Fp_mulu(c,2,q));
391 23275179 : case 1: return mkvec3(grp->mul(E,a,x), addiu(b,1), c);
392 23268203 : case 2: return mkvec3(grp->mul(E,a,g), b, addiu(c,1));
393 : }
394 : return NULL; /* LCOV_EXCL_LINE */
395 : }
396 :
397 : /*Generic Pollard rho discrete log algorithm*/
398 : static GEN
399 49 : gen_Pollard_log(GEN x, GEN g, GEN q, void *E, const struct bb_group *grp)
400 : {
401 49 : pari_sp av=avma;
402 49 : GEN A, B, l, sqrt4q = sqrti(shifti(q,4));
403 49 : ulong i, h = 0, imax = itou_or_0(sqrt4q);
404 49 : if (!imax) imax = ULONG_MAX;
405 : do {
406 49 : rho_restart:
407 49 : A = B = mkvec3(x,gen_1,gen_0);
408 49 : i=0;
409 : do {
410 23277058 : if (i>imax)
411 : {
412 0 : h++;
413 0 : if (DEBUGLEVEL)
414 0 : pari_warn(warner,"changing Pollard rho hash seed to %ld",h);
415 0 : goto rho_restart;
416 : }
417 23277058 : A = iter_rho(x, g, q, A, h, E, grp);
418 23277058 : B = iter_rho(x, g, q, B, h, E, grp);
419 23277058 : B = iter_rho(x, g, q, B, h, E, grp);
420 23277058 : if (gc_needed(av,2))
421 : {
422 1625 : if(DEBUGMEM>1) pari_warn(warnmem,"gen_Pollard_log");
423 1625 : gerepileall(av, 2, &A, &B);
424 : }
425 23277058 : i++;
426 23277058 : } while (!grp->equal(gel(A,1), gel(B,1)));
427 49 : gel(A,2) = modii(gel(A,2), q);
428 49 : gel(B,2) = modii(gel(B,2), q);
429 49 : h++;
430 49 : } while (equalii(gel(A,2), gel(B,2)));
431 49 : l = Fp_div(Fp_sub(gel(B,3), gel(A,3),q),Fp_sub(gel(A,2), gel(B,2), q), q);
432 49 : return gerepileuptoint(av, l);
433 : }
434 :
435 : /* compute a hash of g^(i-1), 1<=i<=n. Return [sorted hash, perm, g^-n] */
436 : GEN
437 723137 : gen_Shanks_init(GEN g, long n, void *E, const struct bb_group *grp)
438 : {
439 723137 : GEN p1 = g, G, perm, table = cgetg(n+1,t_VECSMALL);
440 723137 : pari_sp av=avma;
441 : long i;
442 723137 : table[1] = grp->hash(grp->pow(E,g,gen_0));
443 4107090 : for (i=2; i<=n; i++)
444 : {
445 3383953 : table[i] = grp->hash(p1);
446 3383953 : p1 = grp->mul(E,p1,g);
447 3383953 : if (gc_needed(av,2))
448 : {
449 0 : if(DEBUGMEM>1) pari_warn(warnmem,"gen_Shanks_log, baby = %ld", i);
450 0 : p1 = gerepileupto(av, p1);
451 : }
452 : }
453 723137 : G = gerepileupto(av, grp->pow(E,p1,gen_m1)); /* g^-n */
454 723137 : perm = vecsmall_indexsort(table);
455 723137 : table = vecsmallpermute(table,perm);
456 723137 : return mkvec4(table,perm,g,G);
457 : }
458 : /* T from gen_Shanks_init(g,n). Return v < n*N such that x = g^v or NULL */
459 : GEN
460 728513 : gen_Shanks(GEN T, GEN x, ulong N, void *E, const struct bb_group *grp)
461 : {
462 728513 : pari_sp av=avma;
463 728513 : GEN table = gel(T,1), perm = gel(T,2), g = gel(T,3), G = gel(T,4);
464 728513 : GEN p1 = x;
465 728513 : long n = lg(table)-1;
466 : ulong k;
467 4360123 : for (k=0; k<N; k++)
468 : { /* p1 = x G^k, G = g^-n */
469 4025990 : long h = grp->hash(p1), i = zv_search(table, h);
470 4025990 : if (i)
471 : {
472 395190 : do i--; while (i && table[i] == h);
473 394380 : for (i++; i <= n && table[i] == h; i++)
474 : {
475 394380 : GEN v = addiu(muluu(n,k), perm[i]-1);
476 394380 : if (grp->equal(grp->pow(E,g,v),x)) return gerepileuptoint(av,v);
477 0 : if (DEBUGLEVEL)
478 0 : err_printf("gen_Shanks_log: false positive %lu, %lu\n", k,h);
479 : }
480 : }
481 3631610 : p1 = grp->mul(E,p1,G);
482 3631610 : if (gc_needed(av,2))
483 : {
484 0 : if(DEBUGMEM>1) pari_warn(warnmem,"gen_Shanks_log, k = %lu", k);
485 0 : p1 = gerepileupto(av, p1);
486 : }
487 : }
488 334133 : return NULL;
489 : }
490 : /* Generic Shanks baby-step/giant-step algorithm. Return log_g(x), ord g = q.
491 : * One-shot: use gen_Shanks_init/log if many logs are desired; early abort
492 : * if log < sqrt(q) */
493 : static GEN
494 1516385 : gen_Shanks_log(GEN x, GEN g, GEN q, void *E, const struct bb_group *grp)
495 : {
496 1516385 : pari_sp av=avma, av1;
497 : long lbaby, i, k;
498 : GEN p1, table, giant, perm, ginv;
499 1516385 : p1 = sqrti(q);
500 1516385 : if (abscmpiu(p1,LGBITS) >= 0)
501 0 : pari_err_OVERFLOW("gen_Shanks_log [order too large]");
502 1516385 : lbaby = itos(p1)+1; table = cgetg(lbaby+1,t_VECSMALL);
503 1516386 : ginv = grp->pow(E,g,gen_m1);
504 1516386 : av1 = avma;
505 5028927 : for (p1=x, i=1;;i++)
506 : {
507 5028927 : if (grp->equal1(p1)) return gc_stoi(av, i-1);
508 4878047 : table[i] = grp->hash(p1); if (i==lbaby) break;
509 3512543 : p1 = grp->mul(E,p1,ginv);
510 3512541 : if (gc_needed(av1,2))
511 : {
512 6 : if(DEBUGMEM>1) pari_warn(warnmem,"gen_Shanks_log, baby = %ld", i);
513 6 : p1 = gerepileupto(av1, p1);
514 : }
515 : }
516 1365505 : p1 = giant = gerepileupto(av1, grp->mul(E,x,grp->pow(E, p1, gen_m1)));
517 1365506 : perm = vecsmall_indexsort(table);
518 1365506 : table = vecsmallpermute(table,perm);
519 1365506 : av1 = avma;
520 2184582 : for (k=1; k<= lbaby; k++)
521 : {
522 2184582 : long h = grp->hash(p1), i = zv_search(table, h);
523 2184582 : if (i)
524 : {
525 2731014 : while (table[i] == h && i) i--;
526 1365508 : for (i++; i <= lbaby && table[i] == h; i++)
527 : {
528 1365507 : GEN v = addiu(mulss(lbaby-1,k),perm[i]-1);
529 1365506 : if (grp->equal(grp->pow(E,g,v),x)) return gerepileuptoint(av,v);
530 1 : if (DEBUGLEVEL)
531 0 : err_printf("gen_Shanks_log: false positive %ld, %lu\n", k,h);
532 : }
533 : }
534 819076 : p1 = grp->mul(E,p1,giant);
535 819076 : if (gc_needed(av1,2))
536 : {
537 0 : if(DEBUGMEM>1) pari_warn(warnmem,"gen_Shanks_log, k = %ld", k);
538 0 : p1 = gerepileupto(av1, p1);
539 : }
540 : }
541 0 : set_avma(av); return cgetg(1, t_VEC); /* no solution */
542 : }
543 :
544 : /*Generic discrete logarithme in a group of prime order p*/
545 : GEN
546 6131417 : gen_plog(GEN x, GEN g, GEN p, void *E, const struct bb_group *grp)
547 : {
548 6131417 : if (grp->easylog)
549 : {
550 6054077 : GEN e = grp->easylog(E, x, g, p);
551 6054076 : if (e) return e;
552 : }
553 2754951 : if (grp->equal1(x)) return gen_0;
554 2748637 : if (grp->equal(x,g)) return gen_1;
555 1516434 : if (expi(p)<32) return gen_Shanks_log(x,g,p,E,grp);
556 49 : return gen_Pollard_log(x, g, p, E, grp);
557 : }
558 :
559 : GEN
560 11133446 : get_arith_ZZM(GEN o)
561 : {
562 11133446 : if (!o) return NULL;
563 11133446 : switch(typ(o))
564 : {
565 3703302 : case t_INT:
566 3703302 : if (signe(o) > 0) return mkvec2(o, Z_factor(o));
567 7 : break;
568 1369945 : case t_MAT:
569 1369945 : if (is_Z_factorpos(o)) return mkvec2(factorback(o), o);
570 14 : break;
571 6060201 : case t_VEC:
572 6060201 : if (lg(o) == 3 && signe(gel(o,1)) > 0 && is_Z_factorpos(gel(o,2))) return o;
573 0 : break;
574 : }
575 24 : pari_err_TYPE("generic discrete logarithm (order factorization)",o);
576 : return NULL; /* LCOV_EXCL_LINE */
577 : }
578 : GEN
579 1365894 : get_arith_Z(GEN o)
580 : {
581 1365894 : if (!o) return NULL;
582 1365894 : switch(typ(o))
583 : {
584 1118350 : case t_INT:
585 1118350 : if (signe(o) > 0) return o;
586 7 : break;
587 14 : case t_MAT:
588 14 : o = factorback(o);
589 0 : if (typ(o) == t_INT && signe(o) > 0) return o;
590 0 : break;
591 247523 : case t_VEC:
592 247523 : if (lg(o) != 3) break;
593 247523 : o = gel(o,1);
594 247523 : if (typ(o) == t_INT && signe(o) > 0) return o;
595 0 : break;
596 : }
597 14 : pari_err_TYPE("generic discrete logarithm (order factorization)",o);
598 : return NULL; /* LCOV_EXCL_LINE */
599 : }
600 :
601 : /* Generic Pohlig-Hellman discrete logarithm: smallest integer n >= 0 such that
602 : * g^n=a. Assume ord(g) | ord; grp->easylog() is an optional trapdoor
603 : * function that catches easy logarithms */
604 : GEN
605 4688430 : gen_PH_log(GEN a, GEN g, GEN ord, void *E, const struct bb_group *grp)
606 : {
607 4688430 : pari_sp av = avma;
608 : GEN v, ginv, fa, ex;
609 : long i, j, l;
610 :
611 4688430 : if (grp->equal(g, a)) /* frequent special case */
612 978128 : return grp->equal1(g)? gen_0: gen_1;
613 3710300 : if (grp->easylog)
614 : {
615 3660390 : GEN e = grp->easylog(E, a, g, ord);
616 3660358 : if (e) return e;
617 : }
618 2151696 : v = get_arith_ZZM(ord);
619 2151718 : ord= gel(v,1);
620 2151718 : fa = gel(v,2);
621 2151718 : ex = gel(fa,2);
622 2151718 : fa = gel(fa,1); l = lg(fa);
623 2151718 : ginv = grp->pow(E,g,gen_m1);
624 2151718 : v = cgetg(l, t_VEC);
625 6243180 : for (i = 1; i < l; i++)
626 : {
627 4091469 : GEN q = gel(fa,i), qj, gq, nq, ginv0, a0, t0;
628 4091469 : long e = itos(gel(ex,i));
629 4091469 : if (DEBUGLEVEL>5)
630 0 : err_printf("Pohlig-Hellman: DL mod %Ps^%ld\n",q,e);
631 4091469 : qj = new_chunk(e+1);
632 4091469 : gel(qj,0) = gen_1;
633 4091469 : gel(qj,1) = q;
634 5929143 : for (j = 2; j <= e; j++) gel(qj,j) = mulii(gel(qj,j-1), q);
635 4091469 : t0 = diviiexact(ord, gel(qj,e));
636 4091469 : a0 = grp->pow(E, a, t0);
637 4091469 : ginv0 = grp->pow(E, ginv, t0); /* ord(ginv0) | q^e */
638 4091469 : if (grp->equal1(ginv0)) { gel(v,i) = mkintmod(gen_0, gen_1); continue; }
639 4091462 : do gq = grp->pow(E,g, mulii(t0, gel(qj,--e))); while (grp->equal1(gq));
640 : /* ord(gq) = q */
641 4091455 : nq = gen_0;
642 4091455 : for (j = 0;; j++)
643 1837639 : { /* nq = sum_{i<j} b_i q^i */
644 5929094 : GEN b = grp->pow(E,a0, gel(qj,e-j));
645 : /* cheap early abort: wrong local order */
646 5929094 : if (j == 0 && !grp->equal1(grp->pow(E,b,q))) {
647 7 : set_avma(av); return cgetg(1, t_VEC);
648 : }
649 5929086 : b = gen_plog(b, gq, q, E, grp);
650 5929087 : if (typ(b) != t_INT) { set_avma(av); return cgetg(1, t_VEC); }
651 5929087 : nq = addii(nq, mulii(b, gel(qj,j)));
652 5929087 : if (j == e) break;
653 :
654 1837639 : a0 = grp->mul(E,a0, grp->pow(E,ginv0, b));
655 1837639 : ginv0 = grp->pow(E,ginv0, q);
656 : }
657 4091448 : gel(v,i) = mkintmod(nq, gel(qj,e+1));
658 : }
659 2151711 : return gerepileuptoint(av, lift(chinese1_coprime_Z(v)));
660 : }
661 :
662 : /***********************************************************************/
663 : /** **/
664 : /** ORDER OF AN ELEMENT **/
665 : /** **/
666 : /***********************************************************************/
667 : /*Find the exact order of a assuming a^o==1*/
668 : GEN
669 4088277 : gen_order(GEN a, GEN o, void *E, const struct bb_group *grp)
670 : {
671 4088277 : pari_sp av = avma;
672 : long i, l;
673 : GEN m;
674 :
675 4088277 : m = get_arith_ZZM(o);
676 4088284 : if (!m) pari_err_TYPE("gen_order [missing order]",a);
677 4088284 : o = gel(m,1);
678 4088284 : m = gel(m,2); l = lgcols(m);
679 12493161 : for (i = l-1; i; i--)
680 : {
681 8404894 : GEN t, y, p = gcoeff(m,i,1);
682 8404894 : long j, e = itos(gcoeff(m,i,2));
683 8404892 : if (l == 2) {
684 1026203 : t = gen_1;
685 1026203 : y = a;
686 : } else {
687 7378689 : t = diviiexact(o, powiu(p,e));
688 7378661 : y = grp->pow(E, a, t);
689 : }
690 8404875 : if (grp->equal1(y)) o = t;
691 : else {
692 7851647 : for (j = 1; j < e; j++)
693 : {
694 2857329 : y = grp->pow(E, y, p);
695 2857335 : if (grp->equal1(y)) break;
696 : }
697 5782883 : if (j < e) {
698 788565 : if (j > 1) p = powiu(p, j);
699 788565 : o = mulii(t, p);
700 : }
701 : }
702 : }
703 4088267 : return gerepilecopy(av, o);
704 : }
705 :
706 : /*Find the exact order of a assuming a^o==1, return [order,factor(order)] */
707 : GEN
708 5467 : gen_factored_order(GEN a, GEN o, void *E, const struct bb_group *grp)
709 : {
710 5467 : pari_sp av = avma;
711 : long i, l, ind;
712 : GEN m, F, P;
713 :
714 5467 : m = get_arith_ZZM(o);
715 5467 : if (!m) pari_err_TYPE("gen_factored_order [missing order]",a);
716 5467 : o = gel(m,1);
717 5467 : m = gel(m,2); l = lgcols(m);
718 5467 : P = cgetg(l, t_COL); ind = 1;
719 5467 : F = cgetg(l, t_COL);
720 18879 : for (i = l-1; i; i--)
721 : {
722 13412 : GEN t, y, p = gcoeff(m,i,1);
723 13412 : long j, e = itos(gcoeff(m,i,2));
724 13412 : if (l == 2) {
725 672 : t = gen_1;
726 672 : y = a;
727 : } else {
728 12740 : t = diviiexact(o, powiu(p,e));
729 12740 : y = grp->pow(E, a, t);
730 : }
731 13412 : if (grp->equal1(y)) o = t;
732 : else {
733 16198 : for (j = 1; j < e; j++)
734 : {
735 4655 : y = grp->pow(E, y, p);
736 4655 : if (grp->equal1(y)) break;
737 : }
738 12250 : gel(P,ind) = p;
739 12250 : gel(F,ind) = utoipos(j);
740 12250 : if (j < e) {
741 707 : if (j > 1) p = powiu(p, j);
742 707 : o = mulii(t, p);
743 : }
744 12250 : ind++;
745 : }
746 : }
747 5467 : setlg(P, ind); P = vecreverse(P);
748 5467 : setlg(F, ind); F = vecreverse(F);
749 5467 : return gerepilecopy(av, mkvec2(o, mkmat2(P,F)));
750 : }
751 :
752 : /* E has order o[1], ..., or o[#o], draw random points until all solutions
753 : * but one are eliminated */
754 : GEN
755 980 : gen_select_order(GEN o, void *E, const struct bb_group *grp)
756 : {
757 980 : pari_sp ltop = avma, btop;
758 : GEN lastgood, so, vo;
759 980 : long lo = lg(o), nbo=lo-1;
760 980 : if (nbo == 1) return icopy(gel(o,1));
761 441 : so = ZV_indexsort(o); /* minimize max( o[i+1] - o[i] ) */
762 441 : vo = zero_zv(lo);
763 441 : lastgood = gel(o, so[nbo]);
764 441 : btop = avma;
765 : for(;;)
766 0 : {
767 441 : GEN lasto = gen_0;
768 441 : GEN P = grp->rand(E), t = mkvec(gen_0);
769 : long i;
770 567 : for (i = 1; i < lo; i++)
771 : {
772 567 : GEN newo = gel(o, so[i]);
773 567 : if (vo[i]) continue;
774 567 : t = grp->mul(E,t, grp->pow(E, P, subii(newo,lasto)));/*P^o[i]*/
775 567 : lasto = newo;
776 567 : if (!grp->equal1(t))
777 : {
778 483 : if (--nbo == 1) { set_avma(ltop); return icopy(lastgood); }
779 42 : vo[i] = 1;
780 : }
781 : else
782 84 : lastgood = lasto;
783 : }
784 0 : set_avma(btop);
785 : }
786 : }
787 :
788 : /*******************************************************************/
789 : /* */
790 : /* n-th ROOT */
791 : /* */
792 : /*******************************************************************/
793 : /* Assume l is prime. Return a generator of the l-th Sylow and set *zeta to an element
794 : * of order l.
795 : *
796 : * q = l^e*r, e>=1, (r,l)=1
797 : * UNCLEAN */
798 : static GEN
799 283506 : gen_lgener(GEN l, long e, GEN r,GEN *zeta, void *E, const struct bb_group *grp)
800 : {
801 283506 : const pari_sp av1 = avma;
802 : GEN m, m1;
803 : long i;
804 219991 : for (;; set_avma(av1))
805 : {
806 503497 : m1 = m = grp->pow(E, grp->rand(E), r);
807 503494 : if (grp->equal1(m)) continue;
808 925894 : for (i=1; i<e; i++)
809 : {
810 642389 : m = grp->pow(E,m,l);
811 642389 : if (grp->equal1(m)) break;
812 : }
813 408177 : if (i==e) break;
814 : }
815 283506 : *zeta = m; return m1;
816 : }
817 :
818 : /* Let G be a cyclic group of order o>1. Returns a (random) generator */
819 :
820 : GEN
821 15883 : gen_gener(GEN o, void *E, const struct bb_group *grp)
822 : {
823 15883 : pari_sp ltop = avma, av;
824 : long i, lpr;
825 15883 : GEN F, N, pr, z=NULL;
826 15883 : F = get_arith_ZZM(o);
827 15883 : N = gel(F,1); pr = gel(F,2); lpr = lgcols(pr);
828 15883 : av = avma;
829 :
830 51562 : for (i = 1; i < lpr; i++)
831 : {
832 35679 : GEN l = gcoeff(pr,i,1);
833 35679 : long e = itos(gcoeff(pr,i,2));
834 35679 : GEN r = diviiexact(N,powis(l,e));
835 35679 : GEN zetan, zl = gen_lgener(l,e,r,&zetan,E,grp);
836 35679 : z = i==1 ? zl: grp->mul(E,z,zl);
837 35679 : if (gc_needed(av,2))
838 : { /* n can have lots of prime factors*/
839 0 : if(DEBUGMEM>1) pari_warn(warnmem,"gen_gener");
840 0 : z = gerepileupto(av, z);
841 : }
842 : }
843 15883 : return gerepileupto(ltop, z);
844 : }
845 :
846 : /* solve x^l = a , l prime in G of order q.
847 : *
848 : * q = (l^e)*r, e >= 1, (r,l) = 1
849 : * y is not an l-th power, hence generates the l-Sylow of G
850 : * m = y^(q/l) != 1 */
851 : static GEN
852 263598 : gen_Shanks_sqrtl(GEN a, GEN l, long e, GEN r, GEN y, GEN m,void *E,
853 : const struct bb_group *grp)
854 : {
855 263598 : pari_sp av = avma;
856 : long k;
857 : GEN p1, u1, u2, v, w, z, dl;
858 :
859 263598 : (void)bezout(r,l,&u1,&u2);
860 263599 : v = grp->pow(E,a,u2);
861 263597 : w = grp->pow(E,v,l);
862 263595 : w = grp->mul(E,w,grp->pow(E,a,gen_m1));
863 465925 : while (!grp->equal1(w))
864 : {
865 202498 : k = 0;
866 202498 : p1 = w;
867 : do
868 : {
869 361457 : z = p1; p1 = grp->pow(E,p1,l);
870 361457 : k++;
871 361457 : } while(!grp->equal1(p1));
872 202498 : if (k==e) return gc_NULL(av);
873 202330 : dl = gen_plog(z,m,l,E,grp);
874 202329 : if (typ(dl) != t_INT) return gc_NULL(av);
875 202329 : dl = negi(dl);
876 202329 : p1 = grp->pow(E, grp->pow(E,y, dl), powiu(l,e-k-1));
877 202330 : m = grp->pow(E,m,dl);
878 202329 : e = k;
879 202329 : v = grp->mul(E,p1,v);
880 202329 : y = grp->pow(E,p1,l);
881 202329 : w = grp->mul(E,y,w);
882 202330 : if (gc_needed(av,1))
883 : {
884 0 : if(DEBUGMEM>1) pari_warn(warnmem,"gen_Shanks_sqrtl");
885 0 : gerepileall(av,4, &y,&v,&w,&m);
886 : }
887 : }
888 263425 : return gerepilecopy(av, v);
889 : }
890 : /* Return one solution of x^n = a in a cyclic group of order q
891 : *
892 : * 1) If there is no solution, return NULL.
893 : *
894 : * 2) If there is a solution, there are exactly m of them [m = gcd(q-1,n)].
895 : * If zetan!=NULL, *zetan is set to a primitive m-th root of unity so that
896 : * the set of solutions is { x*zetan^k; k=0..m-1 }
897 : */
898 : GEN
899 253771 : gen_Shanks_sqrtn(GEN a, GEN n, GEN q, GEN *zetan, void *E, const struct bb_group *grp)
900 : {
901 253771 : pari_sp ltop = avma;
902 : GEN m, u1, u2, z;
903 : int is_1;
904 :
905 253771 : if (is_pm1(n))
906 : {
907 0 : if (zetan) *zetan = grp->pow(E,a,gen_0);
908 0 : return signe(n) < 0? grp->pow(E,a,gen_m1): gcopy(a);
909 : }
910 253771 : is_1 = grp->equal1(a);
911 253771 : if (is_1 && !zetan) return gcopy(a);
912 :
913 245038 : m = bezout(n,q,&u1,&u2);
914 245040 : z = grp->pow(E,a,gen_0);
915 245039 : if (!is_pm1(m))
916 : {
917 244640 : GEN F = Z_factor(m);
918 : long i, j, e;
919 : GEN r, zeta, y, l;
920 244639 : pari_sp av1 = avma;
921 492295 : for (i = nbrows(F); i; i--)
922 : {
923 247825 : l = gcoeff(F,i,1);
924 247825 : j = itos(gcoeff(F,i,2));
925 247825 : e = Z_pvalrem(q,l,&r);
926 247827 : y = gen_lgener(l,e,r,&zeta,E,grp);
927 247827 : if (zetan) z = grp->mul(E,z, grp->pow(E,y,powiu(l,e-j)));
928 247827 : if (!is_1) {
929 : do
930 : {
931 263598 : a = gen_Shanks_sqrtl(a,l,e,r,y,zeta,E,grp);
932 263595 : if (!a) return gc_NULL(ltop);
933 263427 : } while (--j);
934 : }
935 247656 : if (gc_needed(ltop,1))
936 : { /* n can have lots of prime factors*/
937 0 : if(DEBUGMEM>1) pari_warn(warnmem,"gen_Shanks_sqrtn");
938 0 : gerepileall(av1, zetan? 2: 1, &a, &z);
939 : }
940 : }
941 : }
942 244869 : if (!equalii(m, n))
943 462 : a = grp->pow(E,a,modii(u1,q));
944 244869 : if (zetan)
945 : {
946 252 : *zetan = z;
947 252 : gerepileall(ltop,2,&a,zetan);
948 : }
949 : else /* is_1 is 0: a was modified above -> gerepileupto valid */
950 244617 : a = gerepileupto(ltop, a);
951 244870 : return a;
952 : }
953 :
954 : /*******************************************************************/
955 : /* */
956 : /* structure of groups with pairing */
957 : /* */
958 : /*******************************************************************/
959 :
960 : static GEN
961 146671 : ellgroup_d2(GEN N, GEN d)
962 : {
963 146671 : GEN r = gcdii(N, d);
964 146671 : GEN F1 = gel(Z_factor(r), 1);
965 146671 : long i, j, l1 = lg(F1);
966 146671 : GEN F = cgetg(3, t_MAT);
967 146671 : gel(F,1) = cgetg(l1, t_COL);
968 146671 : gel(F,2) = cgetg(l1, t_COL);
969 271747 : for (i = 1, j = 1; i < l1; ++i)
970 : {
971 125076 : long v = Z_pval(N, gel(F1, i));
972 125076 : if (v<=1) continue;
973 68558 : gcoeff(F, j , 1) = gel(F1, i);
974 68558 : gcoeff(F, j++, 2) = stoi(v);
975 : }
976 146671 : setlg(F[1],j); setlg(F[2],j);
977 146671 : return j==1 ? NULL : mkvec2(factorback(F), F);
978 : }
979 :
980 : GEN
981 146832 : gen_ellgroup(GEN N, GEN d, GEN *pt_m, void *E, const struct bb_group *grp,
982 : GEN pairorder(void *E, GEN P, GEN Q, GEN m, GEN F))
983 : {
984 146832 : pari_sp av = avma;
985 : GEN N0, N1, F;
986 146832 : if (pt_m) *pt_m = gen_1;
987 146832 : if (is_pm1(N)) return cgetg(1,t_VEC);
988 146671 : F = ellgroup_d2(N, d);
989 146671 : if (!F) {set_avma(av); return mkveccopy(N);}
990 65100 : N0 = gel(F,1); N1 = diviiexact(N, N0);
991 : while(1)
992 53916 : {
993 119016 : pari_sp av2 = avma;
994 : GEN P, Q, d, s, t, m;
995 :
996 119016 : P = grp->pow(E,grp->rand(E), N1);
997 119016 : s = gen_order(P, F, E, grp); if (equalii(s, N0)) {set_avma(av); return mkveccopy(N);}
998 :
999 95709 : Q = grp->pow(E,grp->rand(E), N1);
1000 95709 : t = gen_order(Q, F, E, grp); if (equalii(t, N0)) {set_avma(av); return mkveccopy(N);}
1001 :
1002 84380 : m = lcmii(s, t);
1003 84380 : d = pairorder(E, P, Q, m, F);
1004 : /* structure is [N/d, d] iff m d == N0. Note that N/d = N1 m */
1005 84380 : if (is_pm1(d) && equalii(m, N0)) {set_avma(av); return mkveccopy(N);}
1006 84212 : if (equalii(mulii(m, d), N0))
1007 : {
1008 30296 : GEN g = mkvec2(mulii(N1,m), d);
1009 30296 : if (!pt_m) return gerepilecopy(av, g);
1010 30296 : *pt_m = m; return gc_all(av, 2, &g, pt_m);
1011 : }
1012 53916 : set_avma(av2);
1013 : }
1014 : }
1015 :
1016 : GEN
1017 2716 : gen_ellgens(GEN D1, GEN d2, GEN m, void *E, const struct bb_group *grp,
1018 : GEN pairorder(void *E, GEN P, GEN Q, GEN m, GEN F))
1019 : {
1020 2716 : pari_sp ltop = avma, av;
1021 : GEN F, d1, dm;
1022 : GEN P, Q, d, s;
1023 2716 : F = get_arith_ZZM(D1);
1024 2716 : d1 = gel(F, 1), dm = diviiexact(d1,m);
1025 2716 : av = avma;
1026 : do
1027 : {
1028 6422 : set_avma(av);
1029 6422 : P = grp->rand(E);
1030 6422 : s = gen_order(P, F, E, grp);
1031 6422 : } while (!equalii(s, d1));
1032 2716 : av = avma;
1033 : do
1034 : {
1035 5031 : set_avma(av);
1036 5031 : Q = grp->rand(E);
1037 5031 : d = pairorder(E, grp->pow(E, P, dm), grp->pow(E, Q, dm), m, F);
1038 5031 : } while (!equalii(d, d2));
1039 2716 : return gerepilecopy(ltop, mkvec2(P,Q));
1040 : }
|
