void pbc_param_init_e_gen(pbc_param_t par, int rbits, int qbits) {
e_init(par);
e_param_ptr p = par->data;
//3 takes 2 bits to represent
int hbits = (qbits - 2) / 2 - rbits;
mpz_ptr q = p->q;
mpz_ptr r = p->r;
mpz_ptr h = p->h;
mpz_t n;
field_t Fq;
field_t cc;
element_t j;
int found = 0;
//won't find any curves is hbits is too low
if (hbits < 3) hbits = 3;
mpz_init(n);
do {
int i;
mpz_set_ui(r, 0);
if (rand() % 2) {
p->exp2 = rbits - 1;
p->sign1 = 1;
} else {
p->exp2 = rbits;
p->sign1 = -1;
}
mpz_setbit(r, p->exp2);
p->exp1 = (rand() % (p->exp2 - 1)) + 1;
//use q as a temp variable
mpz_set_ui(q, 0);
mpz_setbit(q, p->exp1);
if (p->sign1 > 0) {
mpz_add(r, r, q);
} else {
mpz_sub(r, r, q);
}
if (rand() % 2) {
p->sign0 = 1;
mpz_add_ui(r, r, 1);
} else {
p->sign0 = -1;
mpz_sub_ui(r, r, 1);
}
if (!mpz_probab_prime_p(r, 10)) continue;
for (i=0; i<10; i++) {
//use q as a temp variable
mpz_set_ui(q, 0);
mpz_setbit(q, hbits + 1);
pbc_mpz_random(h, q);
mpz_mul(h, h, h);
mpz_mul_ui(h, h, 3);
//finally q takes the value it should
mpz_mul(n, r, r);
mpz_mul(n, n, h);
mpz_add_ui(q, n, 1);
if (mpz_probab_prime_p(q, 10)) {
found = 1;
break;
}
}
} while (!found);
/*
do {
mpz_set_ui(r, 0);
mpz_setbit(r, rbits);
pbc_mpz_random(r, r);
mpz_nextprime(r, r);
mpz_mul(n, r, r);
mpz_mul_ui(n, n, 3);
mpz_add_ui(q, n, 1);
} while (!mpz_probab_prime_p(q, 10));
*/
field_init_fp(Fq, q);
element_init(j, Fq);
element_set_si(j, 1);
field_init_curve_b(cc, j, n, NULL);
element_clear(j);
// We may need to twist it.
{
// Pick a random point P and twist the curve if P has the wrong order.
element_t P;
element_init(P, cc);
element_random(P);
element_mul_mpz(P, P, n);
if (!element_is0(P)) field_reinit_curve_twist(cc);
element_clear(P);
}
element_to_mpz(p->a, curve_field_a_coeff(cc));
element_to_mpz(p->b, curve_field_b_coeff(cc));
mpz_clear(n);
}
// Computes a curve and sets fp to the field it is defined over using the
// complex multiplication method, where cm holds the appropriate information
// (e.g. discriminant, field order).
static void compute_cm_curve(d_param_ptr param, pbc_cm_ptr cm) {
element_t hp, root;
field_t fp, fpx;
field_t cc;
field_init_fp(fp, cm->q);
field_init_poly(fpx, fp);
element_init(hp, fpx);
mpz_t *coefflist;
int n = (int)pbc_hilbert(&coefflist, cm->D);
// Temporarily set the coefficient of x^{n-1} to 1 so hp has degree n - 1,
// allowing us to use poly_coeff().
poly_set_coeff1(hp, n - 1);
int i;
for (i = 0; i < n; i++) {
element_set_mpz(element_item(hp, i), coefflist[i]);
}
pbc_hilbert_free(coefflist, n);
// TODO: Remove x = 0, 1728 roots.
// TODO: What if there are no roots?
//printf("hp ");
//element_out_str(stdout, 0, hp);
//printf("\n");
element_init(root, fp);
poly_findroot(root, hp);
//printf("root = ");
//element_out_str(stdout, 0, root);
//printf("\n");
element_clear(hp);
field_clear(fpx);
// The root is the j-invariant of the desired curve.
field_init_curve_j(cc, root, cm->n, NULL);
element_clear(root);
// We may need to twist it.
{
// Pick a random point P and twist the curve if it has the wrong order.
element_t P;
element_init(P, cc);
element_random(P);
element_mul_mpz(P, P, cm->n);
if (!element_is0(P)) field_reinit_curve_twist(cc);
element_clear(P);
}
mpz_set(param->q, cm->q);
mpz_set(param->n, cm->n);
mpz_set(param->h, cm->h);
mpz_set(param->r, cm->r);
element_to_mpz(param->a, curve_field_a_coeff(cc));
element_to_mpz(param->b, curve_field_b_coeff(cc));
param->k = cm->k;
{
mpz_t z;
mpz_init(z);
// Compute order of curve in F_q^k.
// n = q - t + 1 hence t = q - n + 1
mpz_sub(z, param->q, param->n);
mpz_add_ui(z, z, 1);
pbc_mpz_trace_n(z, param->q, z, param->k);
mpz_pow_ui(param->nk, param->q, param->k);
mpz_sub_ui(z, z, 1);
mpz_sub(param->nk, param->nk, z);
mpz_mul(z, param->r, param->r);
mpz_divexact(param->hk, param->nk, z);
mpz_clear(z);
}
field_clear(cc);
field_clear(fp);
}
