void pbc_param_init_d_gen(pbc_param_ptr p, pbc_cm_ptr cm) {
d_param_init(p);
d_param_ptr param = p->data;
field_t Fq, Fqx, Fqd;
element_t irred, nqr;
int d = cm->k / 2;
int i;
compute_cm_curve(param, cm);
field_init_fp(Fq, param->q);
field_init_poly(Fqx, Fq);
element_init(irred, Fqx);
do {
poly_random_monic(irred, d);
} while (!poly_is_irred(irred));
field_init_polymod(Fqd, irred);
// Find a quadratic nonresidue of Fqd lying in Fq.
element_init(nqr, Fqd);
do {
element_random(((element_t *) nqr->data)[0]);
} while (element_is_sqr(nqr));
param->coeff = pbc_realloc(param->coeff, sizeof(mpz_t) * d);
for (i=0; i<d; i++) {
mpz_init(param->coeff[i]);
element_to_mpz(param->coeff[i], element_item(irred, i));
}
element_to_mpz(param->nqr, ((element_t *) nqr->data)[0]);
element_clear(nqr);
element_clear(irred);
field_clear(Fqx);
field_clear(Fqd);
field_clear(Fq);
}
int main(void) {
field_t fp, fx;
mpz_t prime;
darray_t list;
int p = 7;
// Exercise poly_is_irred() with a sieve of Erastosthenes for polynomials.
darray_init(list);
mpz_init(prime);
mpz_set_ui(prime, p);
field_init_fp(fp, prime);
field_init_poly(fx, fp);
element_t e;
element_init(e, fp);
// Enumerate polynomials in F_p[x] up to degree 2.
int a[3], d;
a[0] = a[1] = a[2] = 0;
for(;;) {
element_ptr f = pbc_malloc(sizeof(*f));
element_init(f, fx);
int j;
for(j = 0; j < 3; j++) {
element_set_si(e, a[j]);
poly_set_coeff(f, e, j);
}
// Test poly_degree().
for(j = 2; !a[j] && j >= 0; j--);
EXPECT(poly_degree(f) == j);
// Add monic polynomials to the list.
if (j >= 0 && a[j] == 1) darray_append(list, f);
else {
element_clear(f);
free(f);
}
// Next!
d = 0;
for(;;) {
a[d]++;
if (a[d] >= p) {
a[d] = 0;
d++;
if (d > 2) goto break2;
} else break;
}
}
break2: ;
// Find all composite monic polynomials of degree 3 or less.
darray_t prodlist;
darray_init(prodlist);
void outer(void *data) {
element_ptr f = data;
void inner(void *data2) {
element_ptr g = data2;
if (!poly_degree(f) || !poly_degree(g)) return;
if (poly_degree(f) + poly_degree(g) > 3) return;
element_ptr h = pbc_malloc(sizeof(*h));
element_init(h, fx);
element_mul(h, f, g);
darray_append(prodlist, h);
EXPECT(!poly_is_irred(h));
}
void pbc_param_init_f_gen(pbc_param_t p, int bits) {
f_init(p);
f_param_ptr fp = p->data;
//36 is a 6-bit number
int xbit = (bits - 6) / 4;
//TODO: use binary search to find smallest appropriate x
mpz_t x, t;
mpz_ptr q = fp->q;
mpz_ptr r = fp->r;
mpz_ptr b = fp->b;
field_t Fq, Fq2, Fq2x;
element_t e1;
element_t f;
field_t c;
element_t P;
mpz_init(x);
mpz_init(t);
mpz_setbit(x, xbit);
for (;;) {
mpz_mul(t, x, x);
mpz_mul_ui(t, t, 6);
mpz_add_ui(t, t, 1);
tryminusx(q, x);
mpz_sub(r, q, t);
mpz_add_ui(r, r, 1);
if (mpz_probab_prime_p(q, 10) && mpz_probab_prime_p(r, 10)) break;
tryplusx(q, x);
mpz_sub(r, q, t);
mpz_add_ui(r, r, 1);
if (mpz_probab_prime_p(q, 10) && mpz_probab_prime_p(r, 10)) break;
mpz_add_ui(x, x, 1);
}
field_init_fp(Fq, q);
element_init(e1, Fq);
for (;;) {
element_random(e1);
field_init_curve_b(c, e1, r, NULL);
element_init(P, c);
element_random(P);
element_mul_mpz(P, P, r);
if (element_is0(P)) break;
element_clear(P);
field_clear(c);
}
element_to_mpz(b, e1);
element_clear(e1);
field_init_quadratic(Fq2, Fq);
element_to_mpz(fp->beta, field_get_nqr(Fq));
field_init_poly(Fq2x, Fq2);
element_init(f, Fq2x);
// Find an irreducible polynomial of the form f = x^6 + alpha.
// Call poly_set_coeff1() first so we can use element_item() for the other
// coefficients.
poly_set_coeff1(f, 6);
for (;;) {
element_random(element_item(f, 0));
if (poly_is_irred(f)) break;
}
//extend F_q^2 using f = x^6 + alpha
//see if sextic twist contains a subgroup of order r
//if not, it's the wrong twist: replace alpha with alpha^5
{
field_t ctest;
element_t Ptest;
mpz_t z0, z1;
mpz_init(z0);
mpz_init(z1);
element_init(e1, Fq2);
element_set_mpz(e1, fp->b);
element_mul(e1, e1, element_item(f, 0));
element_neg(e1, e1);
field_init_curve_b(ctest, e1, r, NULL);
element_init(Ptest, ctest);
element_random(Ptest);
//I'm not sure what the #E'(F_q^2) is, but
//it definitely divides n_12 = #E(F_q^12). It contains a
//subgroup of order r if and only if
//(n_12 / r^2)P != O for some (in fact most) P in E'(F_q^6)
mpz_pow_ui(z0, q, 12);
mpz_add_ui(z0, z0, 1);
pbc_mpz_trace_n(z1, q, t, 12);
mpz_sub(z1, z0, z1);
mpz_mul(z0, r, r);
mpz_divexact(z1, z1, z0);
element_mul_mpz(Ptest, Ptest, z1);
if (element_is0(Ptest)) {
mpz_set_ui(z0, 5);
element_pow_mpz(element_item(f, 0), element_item(f, 0), z0);
}
element_clear(e1);
element_clear(Ptest);
field_clear(ctest);
mpz_clear(z0);
mpz_clear(z1);
}
element_to_mpz(fp->alpha0, element_x(element_item(f, 0)));
element_to_mpz(fp->alpha1, element_y(element_item(f, 0)));
element_clear(f);
field_clear(Fq2x);
field_clear(Fq2);
field_clear(Fq);
mpz_clear(t);
mpz_clear(x);
}
