/* Coefficient bound for divisors of a degree-m polynomial given its roots rr.
 * rr is scanned for its leading t_REAL entries (r1 of them); the remaining
 * entries are treated as the non-real roots and their product is squared
 * (presumably one root per conjugate pair is listed -- confirm in callers).
 * Every |root| is clamped to >= 1, so B below is a Mahler measure.
 * *maxroot receives the largest |root| (taken before the clamping).
 * Returns M of length m+2: M[1], M[2] are unused, and for 1 <= i < m
 * M[i+2] = ceil( binom(m-1, i) * B + binom(m-1, i-1) ). */
static GEN
bound_for_coeff(long m, GEN rr, GEN *maxroot)
{
  long i,r1, lrr=lg(rr);
  GEN p1,b1,b2,B,M, C = matpascal(m-1); /* row m holds binom(m-1, .) */

  /* r1 = number of leading real roots */
  for (r1=1; r1 < lrr; r1++)
    if (typ(rr[r1]) != t_REAL) break;
  r1--;

  rr = gabs(rr,0); *maxroot = vecmax(rr);
  /* clamp |root| to >= 1 so that the product is a Mahler measure */
  for (i=1; i<lrr; i++)
    if (gcmp(gel(rr,i), gen_1) < 0) gel(rr,i) = gen_1;

  for (b1=gen_1,i=1; i<=r1; i++) b1 = gmul(b1, gel(rr,i)); /* real roots */
  for (b2=gen_1 ; i<lrr; i++) b2 = gmul(b2, gel(rr,i));    /* the others */
  B = gmul(b1, gsqr(b2)); /* Mahler measure */
  M = cgetg(m+2, t_VEC);
  gel(M,1) = gel(M,2) = gen_0; /* unused */
  for (i=1; i<m; i++)
  {
    p1 = gadd(gmul(gcoeff(C, m, i+1), B),/* binom(m-1, i) */
              gcoeff(C, m, i));    /* binom(m-1, i-1) */
    gel(M,i+2) = ceil_safe(p1);
  }
  return M;
}
/* return a bound for T_2(P), P | polbase in C[X]
 * NB: Mignotte bound: A | S ==>
 *  |a_i| <= binom(d-1, i-1) || S ||_2 + binom(d-1, i) lc(S)
 *
 * Apply to sigma(S) for all embeddings sigma, then take the L_2 norm over
 * sigma, then take the sup over i.
 *
 * nf: number field (nf[5][2] = G, the embedding matrix), polbase: the
 * polynomial S with t_INT leading term. The embeddings are recomputed at
 * doubled precision whenever a norm comes out too short (PRECPB).
 **/
static GEN
nf_Mignotte_bound(GEN nf, GEN polbase)
{
  GEN G = gmael(nf,5,2), lS = leading_term(polbase); /* t_INT */
  GEN p1, C, N2, matGS, binlS, bin;
  long prec, i, j, d = degpol(polbase), n = degpol(nf[1]), r1 = nf_get_r1(nf);

  /* bin[i+1] = binom(d-1, i); binlS = lc(S) * bin (shared when lc(S) = 1) */
  binlS = bin = vecbinome(d-1);
  if (!gcmp1(lS)) binlS = gmul(lS, bin);

  N2 = cgetg(n+1, t_VEC); /* N2[j] = || sigma_j(S) ||_2 */
  prec = gprecision(G);
  for (;;)
  {
    nffp_t F;

    /* matGS: row j = coefficients of sigma_j(S) */
    matGS = cgetg(d+2, t_MAT);
    for (j=0; j<=d; j++) gel(matGS,j+1) = arch_for_T2(G, gel(polbase,j+2));
    matGS = shallowtrans(matGS);
    for (j=1; j <= r1; j++) /* N2[j] = || sigma_j(S) ||_2 */
    {
      gel(N2,j) = gsqrt( QuickNormL2(gel(matGS,j), DEFAULTPREC), DEFAULTPREC );
      /* a real shorter than DEFAULTPREC words means precision was lost */
      if (lg(N2[j]) < DEFAULTPREC) goto PRECPB;
    }
    /* remaining embeddings are handled in pairs (j, j+1): both get the
     * square root of the average of the two squared norms */
    for (   ; j <= n; j+=2)
    {
      GEN q1 = QuickNormL2(gel(matGS,j  ), DEFAULTPREC);
      GEN q2 = QuickNormL2(gel(matGS,j+1), DEFAULTPREC);
      p1 = gmul2n(mpadd(q1, q2), -1);
      gel(N2,j) = gel(N2,j+1) = gsqrt( p1, DEFAULTPREC );
      if (lg(N2[j]) < DEFAULTPREC) goto PRECPB;
    }
    if (j > n) break; /* done */
PRECPB:
    /* double the working precision and rebuild the embedding matrix */
    prec = (prec<<1)-2;
    remake_GM(nf, &F, prec); G = F.G;
    if (DEBUGLEVEL>1) pari_warn(warnprec, "nf_factor_bound", prec);
  }

  /* Take sup over 0 <= i <= d of
   * sum_sigma | binom(d-1, i-1) ||sigma(S)||_2 + binom(d-1,i) lc(S) |^2 */

  /* i = 0: n lc(S)^2 */
  C = mulsi(n, sqri(lS));
  /* i = d: sum_sigma ||sigma(S)||_2^2 */
  p1 = gnorml2(N2);
  if (gcmp(C, p1) < 0) C = p1;
  /* 0 < i < d: generic term, summed over all n embeddings */
  for (i = 1; i < d; i++)
  {
    GEN s = gen_0;

    for (j = 1; j <= n; j++)
    {
      p1 = mpadd( mpmul(gel(bin,i), gel(N2,j)), gel(binlS,i+1) );
      s = mpadd(s, gsqr(p1));
    }
    if (gcmp(C, s) < 0) C = s;
  }
  return C;
}
/* Choose an exponent a and an LLL-reduced basis PRK of pr^a such that the
 * Gram-Schmidt bound GSmin of that basis is >= C, then fill in *L.
 * a = 0 means "start from bestlift_bound(C, d, alpha, Norm(pr))"; the
 * exponent is doubled (and the stack rewound to av) until GSmin >= C.
 * On exit: L->k = a, L->pk = L->den = p^k (top-left HNF entry of pr^a),
 * L->prk = reduced basis, L->iprk = its inverse mod pk, L->prkHNF = pr^a
 * in HNF, L->GSmin as computed below; init_proj finishes the setup. */
static void
bestlift_init(long a, GEN nf, GEN pr, GEN C, nflift_t *L)
{
  const long D = 100;
  const double alpha = ((double)D-1) / D; /* LLL parameter */
  const long d = degpol(nf[1]);
  pari_sp av = avma;
  GEN prk, PRK, B, GSmin, pk;
  pari_timer ti;

  TIMERstart(&ti);
  if (!a) a = (long)bestlift_bound(C, d, alpha, pr_norm(pr));
  for (;; avma = av, a<<=1) /* each retry doubles the exponent */
  {
    if (DEBUGLEVEL>2) fprintferr("exponent: %ld\n",a);
    PRK = prk = idealpows(nf, pr, a);
    pk = gcoeff(prk,1,1);
    /* reduce size first, "scramble" matrix */
    PRK = lllintpartial_ip(PRK);
    /* now floating point reduction is fast */
    PRK = lllint_fp_ip(PRK, 4);
    PRK = lllint_i(PRK, D, 0, NULL, NULL, &B);
    if (!PRK) { PRK = prk; GSmin = pk; } /* nf = Q */
    else
    {
      pari_sp av2 = avma;
      GEN S = invmat( get_R(PRK) ), BB = GS_norms(B, DEFAULTPREC);
      GEN smax = gen_0;
      long i, j;

      /* smax = max_i sum_j S[i,j]^2 / BB[j] */
      for (i=1; i<=d; i++)
      {
        GEN s = gen_0;
        for (j=1; j<=d; j++)
          s = gadd(s, gdiv( gsqr(gcoeff(S,i,j)), gel(BB,j)));
        if (gcmp(s, smax) > 0) smax = s;
      }
      /* GSmin = 1 / (4 smax); only this survives the inner stack frame */
      GSmin = gerepileupto(av2, ginv(gmul2n(smax, 2)));
    }
    if (gcmp(GSmin, C) >= 0) break;
  }
  if (DEBUGLEVEL>2)
    fprintferr("for this exponent, GSmin = %Z\nTime reduction: %ld\n",
               GSmin, TIMER(&ti));
  L->k = a;
  L->den = L->pk = pk;
  L->prk = PRK;
  L->iprk = ZM_inv(PRK, pk);
  L->GSmin= GSmin;
  L->prkHNF = prk;
  init_proj(L, gel(nf,1), gel(pr,1));
}
/* Square x, then reduce the result with the reduction callback stored in R. */
static GEN
sqrmod(GEN x, Red *R)
{
  GEN x2 = gsqr(x);
  return R->red(x2, R);
}
/* Naive recombination of modular factors: combine up to maxK modular
 * factors, degree <= klim and divisible by hint
 *
 * target = polynomial we want to factor
 * famod = array of modular factors.  Product should be congruent to
 * target/lc(target) modulo p^a
 * For true factors: S1,S2 <= p^b, with b <= a and p^(b-a) < 2^31
 *
 * Returns [fa, listmod]: fa the factors found (t_COL), listmod[i] the
 * modular factors combined into fa[i]. If nothing was split off
 * (cnt == 2 at the end), returns [ [T->pol], [T->fact] ] instead.
 * NB: the local t_VECSMALL named `degpol` shadows the name used as
 * degpol(P) / degpol(pol) inside this function; this appears to rely on
 * degpol being a macro in this codebase -- confirm before renaming.
 */
static GEN
nfcmbf(nfcmbf_t *T, GEN p, long a, long maxK, long klim)
{
  GEN pol = T->pol, nf = T->nf, famod = T->fact, dn = T->dn;
  GEN bound = T->bound;
  GEN nfpol = gel(nf,1);
  long K = 1, cnt = 1, i,j,k, curdeg, lfamod = lg(famod)-1, dnf = degpol(nfpol);
  GEN res = cgetg(3, t_VEC);
  pari_sp av0 = avma;
  GEN pk = gpowgs(p,a), pks2 = shifti(pk,-1); /* p^a and p^a / 2 */

  GEN ind      = cgetg(lfamod+1, t_VECSMALL); /* current K-subset */
  GEN degpol   = cgetg(lfamod+1, t_VECSMALL); /* degree of each famod[i] */
  GEN degsofar = cgetg(lfamod+1, t_VECSMALL); /* partial degree sums */
  GEN listmod  = cgetg(lfamod+1, t_COL);
  GEN fa       = cgetg(lfamod+1, t_COL);
  GEN lc = absi(leading_term(pol)), lt = is_pm1(lc)? NULL: lc; /* NULL if monic */
  GEN C2ltpol, C = T->L->topowden, Tpk = T->L->Tpk;
  GEN Clt  = mul_content(C, lt);
  GEN C2lt = mul_content(C,Clt);
  const double Bhigh = get_Bhigh(lfamod, dnf);
  trace_data _T1, _T2, *T1, *T2;
  pari_timer ti; TIMERstart(&ti);

  if (maxK < 0) maxK = lfamod-1;

  C2ltpol = C2lt? gmul(C2lt,pol): pol;
  {
    /* Precompute, for each modular factor, the lifted Newton sums S_1 and
     * S_2 (scaled by lt*dn and lt^2*dn when pol is not monic); they feed
     * the cheap "d - 1" / "d - 2" rejection tests below. */
    GEN q = ceil_safe(sqrtr(T->BS_2));
    GEN t1,t2, ltdn, lt2dn;
    GEN trace1   = cgetg(lfamod+1, t_MAT);
    GEN trace2   = cgetg(lfamod+1, t_MAT);

    ltdn = mul_content(lt, dn);
    lt2dn= mul_content(ltdn, lt);

    for (i=1; i <= lfamod; i++)
    {
      pari_sp av = avma;
      GEN P = gel(famod,i);
      long d = degpol(P);

      degpol[i] = d; P += 2;
      t1 = gel(P,d-1);/* = - S_1 */
      t2 = gsqr(t1);
      if (d > 1) t2 = gsub(t2, gmul2n(gel(P,d-2), 1));
      /* t2 = S_2 Newton sum */
      t2 = typ(t2)!=t_INT? FpX_rem(t2, Tpk, pk): modii(t2, pk);
      if (lt)
      {
        if (typ(t2)!=t_INT) {
          t1 = FpX_red(gmul(ltdn, t1), pk);
          t2 = FpX_red(gmul(lt2dn,t2), pk);
        } else {
          t1 = remii(mulii(ltdn, t1), pk);
          t2 = remii(mulii(lt2dn,t2), pk);
        }
      }
      /* cloned so that avma can be rewound per iteration */
      gel(trace1,i) = gclone( nf_bestlift(t1, NULL, T->L) );
      gel(trace2,i) = gclone( nf_bestlift(t2, NULL, T->L) ); avma = av;
    }
    T1 = init_trace(&_T1, trace1, T->L, q);
    T2 = init_trace(&_T2, trace2, T->L, q);
    for (i=1; i <= lfamod; i++) {
      gunclone(gel(trace1,i));
      gunclone(gel(trace2,i));
    }
  }
  degsofar[0] = 0; /* sentinel */

  /* ind runs through strictly increasing sequences of length K,
   * 1 <= ind[i] <= lfamod */
nextK:
  if (K > maxK || 2*K > lfamod) goto END;
  if (DEBUGLEVEL > 3)
    fprintferr("\n### K = %d, %Z combinations\n", K,binomial(utoipos(lfamod), K));
  setlg(ind, K+1); ind[1] = 1;
  i = 1; curdeg = degpol[ind[1]];
  for(;;)
  { /* try all combinations of K factors */
    /* complete ind[i+1..K] with consecutive indices, tracking the degree */
    for (j = i; j < K; j++)
    {
      degsofar[j] = curdeg;
      ind[j+1] = ind[j]+1; curdeg += degpol[ind[j+1]];
    }
    if (curdeg <= klim && curdeg % T->hint == 0) /* trial divide */
    {
      GEN t, y, q, list;
      pari_sp av;

      av = avma;
      /* d - 1 test */
      if (T1)
      {
        t = get_trace(ind, T1);
        if (rtodbl(QuickNormL2(t,DEFAULTPREC)) > Bhigh)
        {
          if (DEBUGLEVEL>6) fprintferr(".");
          avma = av; goto NEXT;
        }
      }
      /* d - 2 test */
      if (T2)
      {
        t = get_trace(ind, T2);
        if (rtodbl(QuickNormL2(t,DEFAULTPREC)) > Bhigh)
        {
          if (DEBUGLEVEL>3) fprintferr("|");
          avma = av; goto NEXT;
        }
      }
      avma = av;
      y = lt; /* full computation */
      /* y = lt * prod famod[ind[i]], centered mod (Tpk, pk) at each step */
      for (i=1; i<=K; i++)
      {
        GEN q = gel(famod, ind[i]);
        if (y) q = gmul(y, q);
        y = FqX_centermod(q, Tpk, pk, pks2);
      }
      y = nf_pol_lift(y, bound, T);
      if (!y)
      {
        if (DEBUGLEVEL>3) fprintferr("@");
        avma = av; goto NEXT;
      }
      /* try out the new combination: y is the candidate factor */
      q = RgXQX_divrem(C2ltpol, y, nfpol, ONLY_DIVIDES);
      if (!q)
      {
        if (DEBUGLEVEL>3) fprintferr("*");
        avma = av; goto NEXT;
      }

      /* found a factor */
      list = cgetg(K+1, t_VEC);
      gel(listmod,cnt) = list;
      for (i=1; i<=K; i++) list[i] = famod[ind[i]];

      y = Q_primpart(y);
      gel(fa,cnt++) = QXQX_normalize(y, nfpol);
      /* fix up pol */
      pol = q;
      for (i=j=k=1; i <= lfamod; i++)
      { /* remove used factors */
        if (j <= K && i == ind[j]) j++;
        else
        {
          famod[k] = famod[i];
          update_trace(T1, k, i);
          update_trace(T2, k, i);
          degpol[k] = degpol[i]; k++;
        }
      }
      lfamod -= K;
      if (lfamod < 2*K) goto END;
      i = 1; curdeg = degpol[ind[1]];

      /* recompute the leading-term scaling for the reduced pol */
      if (C2lt) pol = Q_primpart(pol);
      if (lt) lt = absi(leading_term(pol));
      Clt  = mul_content(C, lt);
      C2lt = mul_content(C,Clt);
      C2ltpol = C2lt? gmul(C2lt,pol): pol;
      if (DEBUGLEVEL > 2)
      {
        fprintferr("\n"); msgTIMER(&ti, "to find factor %Z",y);
        fprintferr("remaining modular factor(s): %ld\n", lfamod);
      }
      continue;
    }

NEXT:
    /* advance to the next K-subset in lexicographic order; when all are
     * exhausted, move on to K+1 */
    for (i = K+1;;)
    {
      if (--i == 0) { K++; goto nextK; }
      if (++ind[i] <= lfamod - K + i)
      {
        curdeg = degsofar[i-1] + degpol[ind[i]];
        if (curdeg <= klim) break;
      }
    }
  }
END:
  if (degpol(pol) > 0)
  { /* leftover factor */
    if (signe(leading_term(pol)) < 0) pol = gneg_i(pol);
    if (C2lt && lfamod < 2*K) pol = QXQX_normalize(Q_primpart(pol), nfpol);
    setlg(famod, lfamod+1);
    gel(listmod,cnt) = shallowcopy(famod);
    gel(fa,cnt++) = pol;
  }
  if (DEBUGLEVEL>6) fprintferr("\n");
  if (cnt == 2) { /* single factor: return the inputs untouched */
    avma = av0;
    gel(res,1) = mkvec(T->pol);
    gel(res,2) = mkvec(T->fact);
  }
  else
  {
    setlg(listmod, cnt); setlg(fa, cnt);
    gel(res,1) = fa;
    gel(res,2) = listmod;
    res = gerepilecopy(av0, res);
  }
  return res;
}
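/// Run the MiMC-style permutation over snark variables, generating both the
/// R1CS constraints and the witness in one pass.
///
/// Starting from input_state, each of the num_round rounds builds the linear
/// combination X = (var 0, value key) + (var index, value x), keeps a copy
/// Y = X, obtains Z via f2n_sqr_gadget(X -> Z), then obtains the next Z via
/// f2n_mul_gadget(X=Z, Y -> Z) and feeds Z.lc_val into the next round as x.
///
/// NOTE(review): no per-round constant is mixed into X here (key + x only);
/// confirm this matches the intended MiMC variant.
/// NOTE(review): `index` is a local copy of varCount; varCount itself is not
/// advanced by this method. Confirm callers account for the variables that
/// each round allocates.
void mimc_perm_gadget<field_type>::snark_perm()
{
  field_type x = input_state;
  // Fresh variable indices start right after the current variable count.
  int index = varCount + 1;

  snarkvar<field_type> X, Y, Z;
  for (int i = 0; i < num_round; i++)
  {
    // X := key (variable 0) + x (fresh variable at index).
    linear_term<field_type> u(0, fONE, key);
    X.add_var(u);
    u.reset(index, fONE, x);
    index++;
    X.add_var(u);

    // Y keeps X for the multiplication step below.
    Y.clear();
    Y = X;

    // Z := fresh variable (value filled in by the squaring gadget).
    u.reset(index, fONE, fZERO);
    Z.clear();
    Z.add_var(u);
    index++;

    f2n_sqr_gadget<field_type> gsqr(&X, &Z, mptr);
    gsqr.generate_r1cs_constraint();
    gsqr.generate_r1cs_witness();
    // Copy the gadget's computed value into Z's own variable entry.
    Z.lc[0].var_val = Z.lc_val;

    // X := square; Z := fresh variable for the product X * Y.
    X.clear();
    X = Z;
    Z.clear();
    u.reset(index, fONE, fZERO);
    Z.add_var(u);
    // NOTE(review): index is not advanced after this variable, so the next
    // round's u.reset(index, fONE, x) refers to the same index as this
    // product -- this looks like the intended chaining between rounds; confirm.

    f2n_mul_gadget<field_type> gmul(&X, &Y, &Z, mptr);
    gmul.generate_r1cs_constraint();
    gmul.generate_r1cs_witness();

    // The round output becomes the next round's input value.
    X.clear();
    x = Z.lc_val;
    Y.clear();
  }
}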